cl.exe is unable to import/read .pyd dependencies (Win_x86_64) #1507

Open
unexondev opened this issue Feb 8, 2025 · 3 comments

@unexondev

unexondev commented Feb 8, 2025

I am trying to create a sandbox and perform some tests for the module which I'm reverse engineering, but I'm stuck at allocating a Sandbox; I've been trying to solve the issue for a few days but I'm still not able to solve it.

Error is here:

Traceback (most recent call last):
  File "C:\Dev\re-fivem\scripts\sandbox.py", line 20, in <module>
    sb.run()
    ~~~~~~^^
  File "C:\Users\Unex\AppData\Local\Programs\Python\Python313\Lib\site-packages\miasm-0.1.5-py3.13-win-amd64.egg\miasm\analysis\sandbox.py", line 565, in run
    super(Sandbox_Win_x86_64, self).run(addr)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^
  File "C:\Users\Unex\AppData\Local\Programs\Python\Python313\Lib\site-packages\miasm-0.1.5-py3.13-win-amd64.egg\miasm\analysis\sandbox.py", line 136, in run
    self.jitter.continue_run()
    ~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "C:\Users\Unex\AppData\Local\Programs\Python\Python313\Lib\site-packages\miasm-0.1.5-py3.13-win-amd64.egg\miasm\jitter\jitload.py", line 430, in continue_run
    return next(self.run_iterator)
  File "C:\Users\Unex\AppData\Local\Programs\Python\Python313\Lib\site-packages\miasm-0.1.5-py3.13-win-amd64.egg\miasm\jitter\jitload.py", line 398, in runiter_once
    self.pc = self.run_at(self.pc)
              ~~~~~~~~~~~^^^^^^^^^
  File "C:\Users\Unex\AppData\Local\Programs\Python\Python313\Lib\site-packages\miasm-0.1.5-py3.13-win-amd64.egg\miasm\jitter\jitload.py", line 351, in run_at
    return self.jit.run_at(
           ~~~~~~~~~~~~~~~^
        self.cpu, pc,
        ^^^^^^^^^^^^^
        set(self.breakpoints_handler.callbacks)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "C:\Users\Unex\AppData\Local\Programs\Python\Python313\Lib\site-packages\miasm-0.1.5-py3.13-win-amd64.egg\miasm\jitter\jitcore.py", line 184, in run_at
    cur_block = self.disasm_and_jit_block(offset, cpu.vmmngr)
  File "C:\Users\Unex\AppData\Local\Programs\Python\Python313\Lib\site-packages\miasm-0.1.5-py3.13-win-amd64.egg\miasm\jitter\jitcore.py", line 161, in disasm_and_jit_block
    self.add_block(cur_block)
    ~~~~~~~~~~~~~~^^^^^^^^^^^
  File "C:\Users\Unex\AppData\Local\Programs\Python\Python313\Lib\site-packages\miasm-0.1.5-py3.13-win-amd64.egg\miasm\jitter\jitcore_gcc.py", line 86, in add_block
    check_call(cl, cwd = out_dir)
    ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^
  File "C:\Users\Unex\AppData\Local\Programs\Python\Python313\Lib\subprocess.py", line 419, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['cl', '/nologo', '/W3', '/MP', '/Od', '/DNDEBUG', '/D_WINDOWS', '/Gm-', '/EHsc', '/RTC1', '/MD', '/GS', 'C:\\Users\\Unex\\AppData\\Local\\Temp\\tmp19nk3t7c.c', '-IC:\\Users\\Unex\\AppData\\Local\\Programs\\Python\\Python313\\Lib\\site-packages\\miasm-0.1.5-py3.13-win-amd64.egg\\miasm\\jitter', '-IC:\\Users\\Unex\\AppData\\Local\\Programs\\Python\\Python313\\Include', 'C:\\Users\\Unex\\AppData\\Local\\Programs\\Python\\Python313\\Lib\\site-packages\\miasm-0.1.5-py3.13-win-amd64.egg\\miasm\\jitter\\VmMngr.cp313-win_amd64.pyd', 'C:\\Users\\Unex\\AppData\\Local\\Programs\\Python\\Python313\\Lib\\site-packages\\miasm-0.1.5-py3.13-win-amd64.egg\\miasm\\jitter\\arch\\JitCore_x86.cp313-win_amd64.pyd', 'C:\\Users\\Unex\\AppData\\Local\\Programs\\Python\\Python313\\Include\\..\\libs\\python313.lib', '/link', '/DLL', '/OUT:C:\\Users\\Unex\\AppData\\Local\\Temp\\tmpg5n0n976.cp313-win_amd64.pyd']' returned non-zero exit status 2.

Also, CL.exe logs why the error occurred:

C:\Users\Unex\AppData\Local\Programs\Python\Python313\Lib\site-packages\miasm-0.1.5-py3.13-win-amd64.egg\miasm\jitter\VmMngr.cp313-win_amd64.pyd : fatal error LNK1107: Dosya geçersiz veya bozuk: 0x270 üzerinde okunamıyor

In English: (Invalid file name or broken, it can't be read at 0x270)

Miasm tries to run CL.exe with the following arguments:

Arg: /nologo
Arg: /W3
Arg: /MP
Arg: /Od
Arg: /DNDEBUG
Arg: /D_WINDOWS
Arg: /Gm-
Arg: /EHsc
Arg: /RTC1
Arg: /MD
Arg: /GS
Arg: C:\Users\Unex\AppData\Local\Temp\tmp19nk3t7c.c
Arg: -IC:\Users\Unex\AppData\Local\Programs\Python\Python313\Lib\site-packages\miasm-0.1.5-py3.13-win-amd64.egg\miasm\jitter
Arg: -IC:\Users\Unex\AppData\Local\Programs\Python\Python313\Include
Arg: C:\Users\Unex\AppData\Local\Programs\Python\Python313\Lib\site-packages\miasm-0.1.5-py3.13-win-amd64.egg\miasm\jitter\VmMngr.cp313-win_amd64.pyd
Arg: C:\Users\Unex\AppData\Local\Programs\Python\Python313\Lib\site-packages\miasm-0.1.5-py3.13-win-amd64.egg\miasm\jitter\arch\JitCore_x86.cp313-win_amd64.pyd
Arg: C:\Users\Unex\AppData\Local\Programs\Python\Python313\Include\..\libs\python313.lib
Arg: /link
Arg: /DLL
Arg: /OUT:C:\Users\Unex\AppData\Local\Temp\tmpg5n0n976.cp313-win_amd64.pyd

I think the problem is about cl.exe identifying .pyd files. When I use Ghidra and open up those .pyd modules, I can successfully analyze them. Somehow cl.exe is not able to access them. Consider that I'm running all the commands as administrator. The error is not privilege related.

cl.exe version: 19.42.34436
Python version: 3.13.1
Used Visual Studio Installer to install Clang.
clang version 18.1.8
clang target: x86_64-pc-windows-msvc

Also, I installed miasm by pulling the latest version from the Miasm Git repository.
Miasm version: miasm-0.1.5-py3.13-win-amd64
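
As an added example (not part of the original post and not Miasm code): the two .pyd arguments on the command line above are PE DLL images, while the MSVC linker consumes COFF objects and .lib archives, which is the usual reason for LNK1107 on such a file. The sketch below classifies each cl input by its header bytes; the function names and the sample byte strings are constructed for illustration.

```python
import struct

AR_MAGIC = b"!<arch>\n"                   # .lib (static or import library)
COFF_MACHINES = {0x014C, 0x8664, 0xAA64}  # x86, x64, arm64 object files

def classify_linker_input(data: bytes) -> str:
    """Classify header bytes as 'library', 'object', 'pe-image' or 'unknown'."""
    if data.startswith(AR_MAGIC):
        return "library"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew (offset 0x3C) points at the 'PE\0\0' signature of an image.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        return "pe-image" if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" else "unknown"
    if len(data) >= 2 and struct.unpack_from("<H", data)[0] in COFF_MACHINES:
        return "object"
    return "unknown"

def read_header(path: str, size: int = 4096) -> bytes:
    with open(path, "rb") as fh:
        return fh.read(size)

def audit_link_inputs(args, reader=read_header):
    """Classify every file passed to cl before /link (switches and sources skipped)."""
    report = {}
    for arg in args:
        if arg == "/link":
            break
        if arg.startswith(("/", "-")) or arg.lower().endswith((".c", ".cpp")):
            continue
        report[arg] = classify_linker_input(reader(arg))
    return report

def unlinkable(report):
    # Inputs the linker cannot consume as objects or libraries.
    return sorted(p for p, kind in report.items() if kind not in ("library", "object"))

# Constructed stand-ins for the files on the failing command line (not real binaries).
CONSTRUCTED_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
SAMPLES = {
    "VmMngr.cp313-win_amd64.pyd": CONSTRUCTED_PE,
    "JitCore_x86.cp313-win_amd64.pyd": CONSTRUCTED_PE,
    "python313.lib": AR_MAGIC + b"/" + b" " * 59,
}
ARGS = ["/nologo", "/MD", "tmp19nk3t7c.c", "-Iinclude", *SAMPLES, "/link", "/DLL"]
REPORT = audit_link_inputs(ARGS, SAMPLES.__getitem__)
```

On a real machine, pass the argument list from the CalledProcessError to `audit_link_inputs` with the default reader; anything returned by `unlinkable` is an input the linker will reject.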

@serpilliere
Contributor

Hi @unexondev
I don't know your exact setup, but you are not the first one to have trouble running the jitter on Windows.
What I can advise is to install LLVM on your system, and switch to an LLVM-backed jitter.
It seems to work in our regression tests on Windows: they run on travis, using the LLVM backend.
(see logs on https://ci.appveyor.com/project/cea-sec/miasm)

You can also use the 'python' jitter, which is really slow, but doesn't depend on llvm nor cl.

I hope it helps!

@unexondev
Author

unexondev commented Feb 11, 2025

Hello @serpilliere. It's important to mention that the LLVM backend jitter works only and only if your LLVM version is 15.x.x.

It's because your dependency, the llvmlite library, has not been getting any updates since LLVM 15 was released. The latest version of llvmlite (which users install with the pip install llvmlite command, and it's 0.44) is compatible with LLVM-15.x.x version(s).

I think mentioning it would help people working on Windows. It was a real nightmare for me to build a single Sandbox.

Could you maybe add a few lines to the README to let people notice that? Thanks for the help.

Edit: Oh, I thought my problem was about that but actually it isn't. Yeah, that's also a considerable thing but not the problem itself; the actual problem is that libLLVM-X.X.dll doesn't exist in my installed LLVM binaries. That's because I have shared libs instead, and I need to recompile LLVM with dynamic libs = ON. Also, to do that you need a custom build, so the prebuilt binaries will not do the job. That will cause a small issue, which is that no registry entries will be created. Check this:

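# setup.py:46
import winreg  # Windows-only standard library module used by this excerpt

def win_get_llvm_reg():
    REG_PATH = "SOFTWARE\\LLVM\\LLVM"
    try:
        # Look in the 32-bit registry view first
        return winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH, 0, winreg.KEY_READ | winreg.KEY_WOW64_32KEY)
    except FileNotFoundError:
        pass
    # Fall back to the default view; raises FileNotFoundError if the key is absent
    return winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH, 0, winreg.KEY_READ)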

This code actually serves no purpose. For a proper installation (which satisfies the other conditions to create an LLVM jitter properly) there will be no registry changes. You could consider that and maybe make a small change to setup.py.

And of course, you need to tell people to build LLVM with the dynamic build option = on, instead of creating shared libs, to avoid errors occurring in, for example, the LLVM-based jitter code.

https://github.com/cea-sec/miasm/blob/master/miasm/jitter/llvmconvert.py#L239

For those who are interested, during LLVM installation you need to set: -DLLVM_BUILD_LLVM_DYLIB=ON

@serpilliere
Contributor

Hi @unexondev
As the regression tests are working on the travis engine, maybe a simple solution is to clone the way travis builds its Windows machine?
